Skip to main content

How are current and projected risk calculated?

James Rabe
  • Updated

Introduction

This article explores the three primaries types of risk calculated in IriusRisk and explores how current and projected risk is calculated. 

Risk types - Inherent, Current, and Projected

Each threat in IriusRisk has three different risk values all of them with a maximum value of 100 and a minimum value of 0.

Inherent risk: This is the "starter" risk the one that represents the risk natural to affected assets and it's exposure. Inherent risk represents the complete risk with zero mitigations being applied to this given scenario.  

Formula 1 - Inherent Risk = impact x likelihood (NOTE: the formula for inherent risk is independent of currently in place mitigations or planned mitigations. It is based solely on the threats, assets, and weaknesses associated within). 

 

Current risk: This is the current risk value which is equal to inherent risk minus currently implemented mitigations or countermeasures.

Formula 2 - Current Risk = Inherent Risk - implemented mitigation

 

Projected risk: This is our goal risk the one we will have once we have already implemented all required countermeasures. It's calculated by subtracting from the inherent risk the risk reduction produced for all implemented and required countermeasures. It's exactly like calculate the current risk assuming that all required countermeasures are already implemented.

Formula 3 - Projected Risk = Current risk - planned mitigations (countermeasures in a required status)

 

The qualitative output of these three variables can be seen within the threats interface within IriusRisk. 

2022-08-22_11_18_14-AWS_Environment___IriusRisk.png

Quantitative values are translated into qualitative outputs as stated here

 

Calculating Current Risk

Control risk reduction

Risk reduction is a value between 0 and 100 and represents the decrement in the threat's risk produced by each of its countermeasures. In the following flow diagram, we can see how is calculated:

 

control-risk-reduction__1_.png

Mitigation is a percentage value that represents the share of the risk reduced by the implementation of a control

MITIGATEasd123dghsdg345sdgsdgtempsnip.png

 

Risk increment

The risk increment is an integer value between 0 and 100 that represents the increase on the threat's risk produced by failing weakness tests. Among all weakness with failed tests we will select the one with a higher impact rating and we will multiply that of a configurable factor (by default 0) to get the risk increment value.

 

Weakness Test result Impact rating
Weakness1 PASSED 100
Weakness2 FAILED 50
Weakness3 FAILED 80

 

Since the default factor for risk increment is 0 the result would be 0 * 80 = 0. But we need to be aware that customers might configure a different value for this factor.

By default, a weakness is created with an impact rating of 100.

 

Current risk calculation use case

Now we are going to do the maths in the real case describes in the section "Inherent risk calculation use case" and the inherent risk calculated in it.

As we already know the inherent risk is 71 and we have 3 controls of the same weakness :

→Weakness 1 (impact: 80)

    →Control 1 (mitigation: 80, state: implemented, test: passed)

    →Control 2 (mitigation: 20, state: required, test: not tested)

    →Control 3 (mitigation: 30, state: recommended, test: not tested)

 

Calculate risk reduction for each countermeasure

We have to point out that in our code the real formula used for calculating the risk reduction value is:

 

factor * mitigation / 100 *inherentRisk

 

We have two different configurable values for factor:

  • MITIGATION_FACTOR_CONTROL_TEST_PASSED: The one used when the countermeasure's test is passed. By default 1.

  • MITIGATION_FACTOR_CONTROL_IMPLEMENTED: The one used when the countermeasure is in state implemented and its test is not failed. By default 1.

Since by default the value for factor in all cases is 1 it doesn't make a difference in this calculation, but we must be aware that our costumers might have configured different values.

Following the decision diagram for control's risk calculation and using the default factor values we can get the following risk reductions:

  • Control1: mitigation(80) * factor(1)  / 100 * inherentRisk(71) = 56.8 → 57
  • Control20
  • Control30

Being the sum of all of them 57 + 0 + 0 = 57

 

 

Calculate risk increment

Since we don't have any weakness with a failed test result, the value or risk increment is 0. As a matter of fact, even if we had a weakness of such type the configurable factor for risk increment is 0 by default so it would be 0 anyway. The only case when this value has an impact on the current risk calculation is when the customer has set a different value for the configurable factor. 

 

Putting all together

Since we already have the values for inherent risk, the sum of all control's risk reduction values and the risk increment value we can calculate the current risk like this:

 

inherentRisk(71) - controlsRiskReduction(57) + riskIncrement(0) = 14

 

 

Projected risk = Inherent risk - sum(all controls risk reduction)

The projected risk is our goal risk the one we will achieve once we get to correctly implement all required countermeasures. Therefore, the way we calculate the projected risk is quite similar to the way we calculate the current risk, the only difference is that in this calculation we are going to assume that all required countermeasures are correctly implemented.

 

Inherent risk

Represents the natural risk of a threat and depends on the probability and the impact of the threat. The correct way to calculate inherent risk is explained in the previous section.

 

Control risk reduction

Risk reduction is a value between 0 and 100 and represents the decrement in the threat's risk produced by each of its countermeasures. 

In this case, we are going to do exactly the same that in current risk but assuming the following statements:

  • All required countermeasures are implemented
  • All weakness tests are passed
  • All tests for required and implemented countermeasures are passed

Therefore the risk reduction is mitigation / 100 * inherentRisk for all required and implemented countermeasures and 0 for all other cases.

 

Projected risk calculation use case

Now we are going to do the maths with the real case described in the section "Inherent risk calculation use case" and the inherent risk calculated in it.

As we already know the inherent risk is 71 and we have 3 controls of the same weakness :

→Weakness 1 (impact: 80)

    →Control 1 (mitigation: 80, state: implemented, test: passed)

    →Control 2 (mitigation: 20, state: required, test: not tested)

    →Control 3 (mitigation: 30, state: recommended, test: not tested)

 

Calculate risk reduction for each countermeasure

We have to point out that in our code the real formula used for calculating the risk reduction value is:

 

factor * mitigation / 100 * inherentRisk

 

We have two different configurable values for factor:

  • MITIGATION_FACTOR_CONTROL_TEST_PASSED: The one used when the countermeasure's test is passed. By default 1.

  • MITIGATION_FACTOR_CONTROL_IMPLEMENTED: The one used when the countermeasure is in state implemented and its test is not failed. By default 1.

Since by default the value for factor in all cases is 1 it doesn't make a difference in this calculation, but we must be aware that our costumers might have configured different values.

The projected risk reduction for each countermeasure would be:

  • Control1: mitigation(80) * factor(1)  / 100 * inherentRisk(71) = 56,8 → 57
  • Control2: mitigation(20) * factor(1)  / 100 * inherentRisk(71) = 14,2 → 15
  • Control30

Being the sum of all of them 57 + 15 + 0 = 72

 

Putting all together

Since we already have the values for inherent risk, the sum of all control's risk reduction values and the risk increment value we can calculate the current risk like this:

 

inherentRisk(71) - controlsRiskReduction(72) + riskIncrement(0) = -1 → 0

 

Planned mitigation percentage

This percentage is shown in the threats table an represents the progress within the threat's mitigation. It's calculated by adding all the mitigation values from all the required threads which tests results are not passed

 

PERCENT1232bhjkgh6789tempsnip.png

 

Calculate planned mitigation percentage use case

Now we are going to do the maths with the real case described in the section "Inherent risk calculation use case".

As we already know we have 3 controls:

    →Control 1 (mitigation: 80, state: implemented, test: passed)

    →Control 2 (mitigation: 20, state: required, test: not tested)

    →Control 3 (mitigation: 30, state: recommended, test: not tested)

The only required and not passed control is Control 2 so:

 

sumOfRequredNotPassedMitigations(20) = 20

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk